On 20 June 2019, the United States conducted a major cyberattack against Iran in response to Iran’s (alleged) attacks on oil tankers in the Hormuz Strait and the downing of an American surveillance drone. The attack was widely reported at the time, but on 28 August the New York Times published important new details, which included information about the legal-strategic thinking of the Americans. Specifically, it was reported that the US cybercampaign against Iran was “calibrated to stay well below the threshold of war”. Translated into legalese, this seems to imply that the Americans aim to keep their activities at a level that undoubtedly fall short of legal thresholds like article 2(4) of the UN Charter, which defines use of force, and common article 2 of the Geneva Conventions, which de facto triggers the laws of war. In this post, I discuss whether the Americans succeeded in keeping their distance from such thresholds.

The attack

In the original reporting on the attack by Yahoo! News, it was noted that the operation targeted “an Iranian spy group” with “ties to the Iranian Revolutionary Guard Corps”, which supported attacks on commercial ships in the Hormuz Strait. The precise object of attack was not specified, but it was mentioned that the group had “over the past several years digitally tracked and targeted military and civilian ships passing through the economically important Strait of Hormuz”.

The New York Times’ report explains that the cyberattack successfully “wiped out a critical database used by Iran’s paramilitary arm to plot attacks against oil tankers and degraded Tehran’s ability to covertly target shipping traffic in the Persian Gulf, at least temporarily”. The Iranians, it is noted, are “still trying to recover information destroyed in the June 20 attack and restart some of the computer systems — including military communications networks — taken offline”. Accordingly, the attack seems to have crippled the targeted system in a way that has taken it offline and, presumably, rendered it useless for months. The effects of the attack were “designed to be temporary”, officials said, but had “lasted longer than expected”. In terms of the specific target of the attack, it was reported that the target was the Iranian Revolutionary Guards’ intelligence group. Read the rest of this entry…

On October 4, the United Kingdom’s National Cyber Security Centre (NCSC), a division of the GCHQ, issued a news release attributing multiple cyber campaigns to Russia’s military intelligence service, the GRU. They were, according to the NCSC, designed to ‘undermine [the] international sporting institution WADA [World Anti-Doping Agency], disrupt transport systems in Ukraine, destabilise democracies and target businesses’.

The release was notable in two regards. As the campaigns were conducted by the GRU, an organ of the Russian government, Russia is legally responsible under the law of State responsibility for any violations of international law that may have occurred. Second, the release stated that the operations were ‘conducted in flagrant violation of international law’. Indeed, Foreign Secretary Jeremy Hunt, whom the release quoted, observed, ‘[t]his pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences’.

Unfortunately, neither the NCSC nor the Foreign Secretary delineated those rules of international law that Russia allegedly violated or otherwise undermined. In this post, we attempt to tease loose the legal significance of the operations by measuring them against the recently enunciated UK positions on international law in the cyber context. Attorney General Jeremy Wright set forth these positions in a 23 May Chatham House speech. We first highlight the UK approach to the key international law prohibitions that are relevant vis-à-vis the Russian operations. Second, we assess the operations themselves against the UK position on these legal rules. Finally, we conclude by making the point that legal policy decisions with respect to cyberspace may prove a double-edged sword. Compelling reasons may exist for adopting particular positions regarding international law norms in cyberspace, but seldom are those positions cost-free. In particular, we suggest that the United Kingdom’s rejection of a rule requiring respect for the sovereignty of other States eliminates its most defensible basis for arguing that the Russian cyber campaigns undermined international law. Other States should bear this in mind before following suit.

The recent “NotPetya” cyber-operation illustrates the complexity of applying international law to factually ambiguous cyber scenarios. Manifestations of NotPetya began to surface on 27 June when a major Ukrainian bank reported a sustained operation against its network. The Ukrainian Minister of Infrastructure soon announced ‘an ongoing and massive attack everywhere’. By the following day, NotPetya’s impact was global, affecting, inter alia, government agencies, shipping companies, power providers, and healthcare providers. However, there are no reports of NotPetya causing deaths or injuries.

Cybersecurity experts have concluded that despite being initially characterized as a ransomware attack similar to WannaCry and Petya, NotPetya was directed at specific systems with a purpose of ‘causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power’. Additionally, most agree that Ukraine was the target of the operation, which bled over into other States. The key question, however, is the identity of the attacker. NATO Cooperative Cyber Defence Centre of Excellence experts have opined that ‘NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state.’

Although the facts are less than definitively established, the EJIL: Talk! editors have asked us to analyse the incident on the assumption that it is factually and legally attributable to a State. We begin with a peacetime international law survey and conclude with an international humanitarian law (IHL) analysis. Read the rest of this entry…